Overview
The Metlo CLI can automatically configure traffic mirroring in AWS and GCP to send a copy of your network traffic to Metlo for analysis. This enables real-time API discovery and security monitoring.
AWS Traffic Mirroring
Set up traffic mirroring for AWS resources including EC2 instances, network interfaces, ECS services, and Application Load Balancers.
Create New Mirror Session
Options
UUID identifier for this mirror configuration. If not provided, a new UUID will be generated.
AWS Region where source and target are located (e.g., us-east-1, us-west-2)
Target ENI (Elastic Network Interface) ID or EC2 instance ID of your Metlo mirroring instance
Source entity ID to mirror. Format depends on the variant:
- INSTANCE: EC2 instance ID (e.g., i-1234567890abcdef0)
- NETWORK_INTERFACE: ENI ID (e.g., eni-1234567890abcdef0)
- ALB: Load balancer name
- ECS: clusterName,serviceName (comma-separated)
Type of AWS resource to mirror. Options:
- INSTANCE - EC2 instance
- NETWORK_INTERFACE - Network interface
- ALB - Application Load Balancer
- ECS - ECS service
Interactive Mode
If you run the command without options, the CLI will guide you through the setup:
Examples
Mirror an EC2 instance:
Output
On success, the command displays a cron job configuration for periodic refresh:
List Mirror Sessions
List all active traffic mirror sessions in AWS.
Remove Mirror Session
Remove a traffic mirror session.
GCP Traffic Mirroring
Set up packet mirroring for GCP resources including compute instances, subnets, and tagged instances.
Create New Packet Mirroring
Options
Force creation of a new packet mirroring instance even if one already exists. Default: false
Interactive Setup
The GCP traffic mirroring setup is fully interactive. The CLI will guide you through:
- GCP Project Configuration
  - Project ID
  - Network name (default: default)
  - Zone selection
  - Path to GCP service account key file
- Source Selection
  - Choose source type: INSTANCE, SUBNET, or TAG
  - Provide instance name, subnet name, or tag name
- Metlo Instance Configuration
  - Select machine type for the mirror instance
  - Provide Metlo backend URL
  - Provide Metlo API key
Example
Update Existing Packet Mirroring
If packet mirroring already exists for the specified network (and --force is not used), the CLI will offer to update the existing configuration:
List Packet Mirroring
List all packet mirroring configurations.
Remove Packet Mirroring
Remove a packet mirroring configuration.
Cleanup Resources
Clean up GCP resources created by Metlo.
What Gets Created
AWS Resources
When you create an AWS traffic mirror session, Metlo creates:
- Traffic mirror target (pointing to your Metlo instance)
- Traffic mirror filter (allowing all TCP traffic)
- Traffic mirror session(s) (one per network interface)
- Tags with UUID for resource tracking
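Because each session copies all TCP traffic from an interface to its target, it is worth reviewing which sessions exist and where they send packets. The following is an added example, not part of the Metlo CLI or its documentation: it audits the JSON printed by `aws ec2 describe-traffic-mirror-sessions` and `aws ec2 describe-traffic-mirror-targets`, flagging sessions that point at an ENI other than the approved collector or that carry no tracking tag. The sample data, the `audit_mirror_sessions` name and the tag key `example-mirror-uuid` are assumptions; the page does not name the tag key the CLI uses.

```python
import json

# Constructed sample data, shaped like the JSON printed by
# `aws ec2 describe-traffic-mirror-targets` and `describe-traffic-mirror-sessions`.
TARGETS = json.loads("""{"TrafficMirrorTargets": [
  {"TrafficMirrorTargetId": "tmt-0aaa", "NetworkInterfaceId": "eni-0collector"},
  {"TrafficMirrorTargetId": "tmt-0bbb", "NetworkInterfaceId": "eni-0other"}]}""")
SESSIONS = json.loads("""{"TrafficMirrorSessions": [
  {"TrafficMirrorSessionId": "tms-0001", "TrafficMirrorTargetId": "tmt-0aaa",
   "NetworkInterfaceId": "eni-0src1",
   "Tags": [{"Key": "example-mirror-uuid", "Value": "constructed-uuid-1"}]},
  {"TrafficMirrorSessionId": "tms-0002", "TrafficMirrorTargetId": "tmt-0bbb",
   "NetworkInterfaceId": "eni-0src2",
   "Tags": [{"Key": "example-mirror-uuid", "Value": "constructed-uuid-1"}]},
  {"TrafficMirrorSessionId": "tms-0003", "TrafficMirrorTargetId": "tmt-0aaa",
   "NetworkInterfaceId": "eni-0src3", "Tags": []}]}""")

# Assumption: placeholder tag key; the page does not name the key the CLI uses.
TAG_KEY = "example-mirror-uuid"


def audit_mirror_sessions(sessions, targets, approved_eni, tag_key=TAG_KEY):
    """Return (session_id, finding, detail) tuples for sessions needing review."""
    # Resolve each mirror target to the ENI that receives the copied packets.
    # Targets backed by a load balancer have no NetworkInterfaceId and map to None.
    target_eni = {t["TrafficMirrorTargetId"]: t.get("NetworkInterfaceId")
                  for t in targets.get("TrafficMirrorTargets", [])}
    findings = []
    for s in sessions.get("TrafficMirrorSessions", []):
        sid = s["TrafficMirrorSessionId"]
        tags = {t["Key"]: t["Value"] for t in s.get("Tags", [])}
        dest = target_eni.get(s["TrafficMirrorTargetId"])
        if dest != approved_eni:
            # Traffic is being copied somewhere other than the known collector.
            findings.append((sid, "unapproved-target", dest))
        if tag_key not in tags:
            # No tracking tag: the session cannot be tied to a known configuration.
            findings.append((sid, "untracked", s["NetworkInterfaceId"]))
    return findings


if __name__ == "__main__":
    for finding in audit_mirror_sessions(SESSIONS, TARGETS, "eni-0collector"):
        print(*finding)
```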
GCP Resources
When you create GCP packet mirroring, Metlo creates:
- Destination subnet for mirror traffic
- Inbound and outbound firewall rules
- Cloud Router (or uses existing compatible router)
- Managed Instance Group for Metlo collector
- Instance template with startup script
- Health check for backend service
- Backend service
- Internal load balancer (forwarding rule)
- Packet mirroring policy
Troubleshooting
AWS
Session already exists error: The CLI automatically deduplicates and skips ENIs that already have Metlo mirror sessions.
Invalid credentials: Ensure your AWS credentials are configured (aws configure) and have the necessary permissions for EC2, ECS, and ELB operations.
GCP
Invalid key file: Make sure your GCP service account key file exists and has the required permissions for Compute Engine operations.
Node version error: Node.js 16 or higher is required. Use nvm to install a compatible version.